Surprisingly, Google has now also committed itself to end-to-end encryption in FIDO's concept for replacing passwords. Two out of three – which still leaves …
The Alliance for Fast IDentity Online (FIDO) promises that in the future it will be possible to log into online services securely from all of one's devices without a password. A paradigm shift is now emerging in how FIDO identities are synchronized via the cloud: this could be done end-to-end encrypted, i.e. without the cloud operators being able to read them. After Apple, Google has now surprisingly also committed itself to this.
FIDO has designed a technically sophisticated concept for logging on to Internet services, based on asymmetric cryptography and challenge-response methods, that is significantly more secure than passwords and convenient to boot. For it to actually replace passwords, the alliance wants users to be able to use their FIDO identity on all their devices in the future – on their smartphone as well as on their PC. To do this, the private key of that identity must be distributed to all these devices, which, according to FIDO, is to be done via the infrastructure of the major platform providers – i.e. primarily Google, Apple and Microsoft. All three have already committed to making it happen.
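To make the two mechanisms concrete, here is an added Go example (written for this page; it is not FIDO Alliance code and not the real Passkey/WebAuthn wire format). It models the challenge-response login with a P-256 ECDSA key pair whose private half never reaches the service, binds the origin name into the signed message as a simplified stand-in for WebAuthn's origin/RP-ID binding, and then shows the sync question from the text: the private key is wrapped with AES-256-GCM under a 32-byte key that only the user's devices hold, so the cloud stores a blob the operator cannot open. The names bank.example, bank-login.example and the random user key are constructed for the example; a real implementation would derive the user key from the device PIN or screen lock with a KDF.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// RelyingParty is the online service; it keeps the registered public key and no secret at all.
type RelyingParty struct {
	Name string           // the origin the browser reports to the authenticator
	pub  *ecdsa.PublicKey // set at registration
}

// Register creates a P-256 key pair on the user's device; the service receives only the public half.
func Register(rp *RelyingParty) (*ecdsa.PrivateKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.pub = &priv.PublicKey
	return priv, nil
}

// NewChallenge returns 32 fresh random bytes; a new value per login defeats replay.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	return c
}

// loginDigest binds the origin into the signed message: a signature for one site is worthless at another.
func loginDigest(rpName string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(rpName+"\x00"), challenge...))
	return h[:]
}

// Sign is the device's answer to a challenge, made for the origin it is actually talking to.
func Sign(priv *ecdsa.PrivateKey, rpName string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, loginDigest(rpName, challenge))
}

func (rp *RelyingParty) Verify(challenge, sig []byte) bool {
	return rp.pub != nil && ecdsa.VerifyASN1(rp.pub, loginDigest(rp.Name, challenge), sig)
}

// aead is AES-256-GCM under a 32-byte key only the user's devices hold (assumed random here;
// in practice derived from the device PIN or screen lock by a KDF and never sent to the cloud).
func aead(userKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(userKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapForSync is what an end-to-end encrypted sync stores (nonce || ciphertext || tag): ciphertext the operator cannot open.
func WrapForSync(priv *ecdsa.PrivateKey, userKey []byte) ([]byte, error) {
	gcm, err := aead(userKey)
	if err != nil {
		return nil, err
	}
	der, _ := x509.MarshalECPrivateKey(priv) // cannot fail for a key we generated
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, der, nil), nil
}

// UnwrapFromSync is what a second device does with the blob; without userKey the GCM tag check fails.
func UnwrapFromSync(blob, userKey []byte) (*ecdsa.PrivateKey, error) {
	gcm, err := aead(userKey)
	if err != nil || len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("unusable key or blob: %v", err)
	}
	der, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
	if err != nil {
		return nil, err
	}
	return x509.ParseECPrivateKey(der)
}

func main() {
	bank := &RelyingParty{Name: "bank.example"}
	phone, _ := Register(bank)
	ch := bank.NewChallenge()
	sig, _ := Sign(phone, bank.Name, ch)
	relayed, _ := Sign(phone, "bank-login.example", ch) // look-alike origin relaying the challenge
	userKey := make([]byte, 32)                          // held only by the user's devices
	rand.Read(userKey)
	blob, _ := WrapForSync(phone, userKey)
	_, opErr := UnwrapFromSync(blob, make([]byte, 32)) // the operator has the blob, not userKey
	laptop, _ := UnwrapFromSync(blob, userKey)
	sig2, _ := Sign(laptop, bank.Name, ch)
	fmt.Println("phone:", bank.Verify(ch, sig), "relayed:", bank.Verify(ch, relayed),
		"operator:", opErr == nil, "laptop:", bank.Verify(ch, sig2)) // phone: true relayed: false operator: false laptop: true
}
```

The four printed results are the point of the model: the enrolling device logs in, a signature the device produced for a look-alike origin is rejected by the real service even though the challenge was relayed unchanged, an operator holding only the sync blob recovers nothing, and the second device that does hold the user key logs in with the restored private key. Whether a platform's sync actually works this way, or instead keeps a key the operator can use, is exactly what the following section asks.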
Who is reading along?
A key question here is whether that happens in a way that gives the corporations access to those secrets. After all, these FIDO keys are supposed to define users' identities in the future and grant access to all their accounts. FIDO does not specify this, but leaves it entirely to the platform providers. “At this time, we don’t have any specific labeling planned for how device and cloud platforms implement Passkey,” explained Andrew Shikiar, Executive Director of the FIDO Alliance, when we asked whether that would be apparent to users.
And at least Microsoft and Google have so far preferred to store passwords in such a way that they themselves also have access to them. They even argued that this was in their customers' interest. Only Apple chose a different route, one that ensures that only the users themselves actually have access to their own passwords.